Introduction – from Hardware to the Cloud!
A hardware security module (HSM) is a physical computing device which safeguards and manages digital keys. They are used when security is important and include features such as auditing, tamper-proofing and encryption. However, as with all hardware devices there is expense and work involved in procuring, installing, upgrading and maintaining an HSM. This is where Azure Key Vault comes in. It provides the security of an HSM, but without the work of setting it up or maintaining it
What’s Azure Key Vault used for?
Whatever is stored in Azure Key Vault is safeguarded using industry-standard algorithms, HSMs and key lengths. The HSMs are Level 2 validated for Federal Information Processing Standard (FIPS). Microsoft provides the interface with which you can access the HSM device securely. For more assurance about the integrity of the key, you can generate it inside the HSM. Microsoft cannot access or extract your keys. Applications also have no direct access to the keys. Instead you’ll have to use Azure CLI, Portal or PowerShell as an interface.
Azure Key Vault can be used for key management as it makes it easy to create and control the encryption keys used to encrypt your keys. It can also be used for certificate management to enable you to easily provision, manage and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS).
Azure Key Vault supports three types of data, including:
- Secrets. These are values that are 25KB or less. They are written to and read from and can be used to store passwords, access keys or SQL connect strings.
- Keys. These are written to the key vault but cannot be exported. They are used for encryption and hash generation. Even when the key is used it can be configured not to leave the HSM and instead the cipher operations required are sent to the key vault service and the result returned.
- Data. Sensitive pieces of information can also be stored in Azure Key Vault.
When application secrets are centrally stored in Azure Key Vault, it’s easier to control their distribution. There’s no longer any need for application developers to store security information in their application, so they no longer need to make this information part of the code.
How does it work?
No-one (a user or an application) can get access to Azure Key Vault unless they have proper authentication and authorization. The identity of the caller is established through authentication. This is done via the Azure Active Directory. Authorization determines what operations the caller is allowed to carry out. Authorization can be done using role-based access control (RBAC) or Key Vault access policy.
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
Azure Key Vault also allows you to segregate application secrets. You can restrict applications access only to the vault that you allow; for example, you can create a Key Vault for each specific application and its team of developers.
What kind of operations are supported?
- For keys: Create, Import, Get, List, Backup, Restore, Delete, Update, Sign, Verify, Wrap, Unwrap, Encrypt & Decrypt
- For Secrets: Create, Update, Get, List, Delete
- For Certificates: Create, Update Policy, Contacts, Import, Renewal, Update
How is Azure Key Vault managed?
Key Vault management is allowed via REST, CLI, PowerShell and Azure Resource Manager. All keys and secrets added to Azure Key Vault have their own URL. Applications can access the keys they need by using the URLs, so there’s no need to write code to protect the secret information. Key Vault also has logging features. This makes it possible to monitor when and who accessed the contents of the Key Vault. The access logs are saved into an Azure storage account.
Valuable data must be secured, but also must be highly available. Using Azure Key Vault simplifies a lot of the administration needed to secure secrets.
- It can scale up quickly when needed.
- You can copy the contents of your key vault within a region and to another region to improve availability.
- It can be easily accessed via the portal, Azure CLI and PowerShell.
- Some tasks related to certificates can be automated.
Integration with other Azure services
Key Vault can be used to simplify Azure Data Encryption, the always encrypted functionality in Azure SQL Database. Key Vault can also integrate with storage accounts, log analytics and event hubs.